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SECURITY MONITOR OF SYSTEM RUNS SOFTWARE SIMULATOR IN PARALLEL 

FIELD OF THE INVENTION 

The invention relates to security measures against viruses and hackers attempting to 
attack an electronic system with distributed functionalities. The invention relates in particular, 
but not exclusively, to a home network environment. 

BACKGROUND ART 

Security of computer systems and networks is being challenged by hackers and by 
computer viruses. 

The term "hacking" is colloquially being used to refer to attempting to gain unauthorized 
access to another party's computer system or network. Although not all hackers have malicious 
purposes, such security breaches can have serious consequences if it leads to stealing or 
corrupting electronic information or to crashing the system. 

A virus is a piece of code that gets loaded onto the computer system and executed without 
the user knowing about it. A typical example of a virus is a program that replicates itself. A 
possible hazard of such a virus is that it quickly occupies all available memory, thus bringing the 
system to a halt. If the virus is capable of transmitting itself across networks and bypasses 
security systems it can spread the disaster. 

SUMMARY OF THE INVENTION 

With the advent of home networks and home gateways, security against hackers and 
viruses is also becoming a concern to consumers in a domestic environment. A home network 
couples apparatus in a control network and/or communication network. These networks often 
also provide Internet access and cover mobile users via wireless modems, thus exposing the 
home to unauthorized electronic access from outside. 

The invention provides, among other things, a solution to this security problem. More 
particularly, the invention considers a distributed information processing system that comprises a 
cluster of interacting devices or appliances forming, e.g., a home network. The devices or 
appliances have finite state machines (FSM's) onboard for the purpose of monitoring the cluster's 
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integrity. The system has a control server running a simulator of the cluster's FSM's. Each 
respective device's FSM calculates per time step a respective numerical value that depends on the 
values of the other devices' FSM's in the previous step, on the respective device's internal 
state(e.g., based on the device's memory's and I/O message buffers' content), and on a history of 
the previous values. This mathematical relationship is chosen such that it causes the collection of 
FSM's to behave as if they formed a dynamic non-periodic stochastic process. The simulator 
does the same on the server. The results of the simulator and the devices' FSM's should be 
identical. Upon a mismatch, an alert is generated. The security of the system resides in the facts 
that in order to be able to hack the system, the hacker needs to have a snapshot of the values of 
all FSM's at a certain step, to collect the values of the steps taken into account in the history, and 
to get into the internal states of each device. All these manipulations need to be performed in one 
time step, which makes it a complex computational task and practically impossible due to the 
distributed character of the system. An additional measure is to allocate computation time of the 
CPU per device for the full 100% to the calculation of the numerical value by maximizing the 
number of previous states taken into account. If there is a need for compute time, the number of 
previous states is reduced. A virus needs a processing environment to be active. By means of 
fully occupying the CPU, there will be no computational environment available to the virus to 
settle. 

The invention can well be used in a home control network, wherein appliances have 
simple processors to generate the numerical value of the FSM's. 

BRIEF DESCRIPTION OF THE DRAWING 

The invention is explained below in further detail, by way of example and with reference 
to the accompanying drawing wherein: 

Fig.l is a block diagram with a monitoring system in the invention; and 

Fig.2 is a mathematical expression representing an FSM. 

DETAILED EMBODIMENTS 

In many different situations, there is a need to monitor the operation of a technical system 
to ensure integrity, security and correctness of the actions of the system. The type of system 
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considered below is one that is implemented as a distributed network of devices. The devices 
have CPU-based controllers and are capable of exchanging information. The operation of the 
system is considered as the operation of a network of FSM's or extended finite state machines 
(EFSM's) .An EFSM is an FSM with local constraints or local data variables. Examples of 
systems that can be modeled after FSM's are industrial automation and control systems, home 
networks, medical life support equipment, etc. 

One of the problems that the invention seeks to solve is how to build a control and 
security system that issues an alarm in case of a failure, that may be caused by natural or 
malicious influences. Another problem addressed by the invention is how to block unsanctioned 
re-programming hacking and software virus infestation. 

The inventor proposes several security layers that can be applied individually or 
combined in order to increase protection, robustness and security of the system. In the detailed 
discussion below the following definitions are being used: 

- SYSTEM: the conglomeration of the devices under consideration that needs to be monitored 
and defended; 

- DEVICE: a component of the SYSTEM that includes a CPU-based controller; 

- DEVICE STATE INFORMATION (DSI): control code calculated by some rules in the 
DEVICE'S memory, possibly including the DEVICE'S I/O message buffers; 

- CONTROL SERVER: computer outside the SYSTEM that is monitoring operations of the 
SYSTEM and that is capable of issuing the alarm; 

- SIMULATOR: simulation software simulating the SYSTEM as a distributed network of 
EFSM's. 

Fig.l is a block diagram of a system 100 in the invention. System 100 comprises a 
SYSTEM 102, e.g., a home network. SYSTEM 102 includes DEVICES 104, 106, 108. Each 
of DEVICES 104-108 has a respective FSM 1 10, 1 12, 1 14. System 100 further comprises a 
CONTROL SERVER 1 1 6 that runs a SIMULATOR 1 1 8 simulating the behavior of SYSTEM 
102 in software. The results of SIMULATOR 1 18 are compared with the states of DEVICES 
104-108 in an evaluator 120 to issue an alert upon detection of a discrepancy. 

In a first one of the security layers SIMULATOR 1 1 8 is run on CONTROL SERVER 
1 16. For each discrete time step the CPU of each of DEVICES 104-108 calculates a respective 
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DSI associated with the relevant DEVICE. This DSI is compared with a corresponding DSI code 
that is calculated for that DEVICE by SIMULATOR 1 18. A mismatch between these values is an 
indication of operational failure or of illegitimate reprogramming of SYSTEM 102. 

Fig.2 is a mathematical expression defining an FSM. A value X k (t) is calculated for each 
DEVICE (k) for each time step "t" according to this expression, wherein: 

- "t" is the current moment in time; 

- "k" is the index or label for DEVICE (k), running from 1 to M , assuming the number of 
DEVICES equals M (M equals 3 in the illustrated example); 

- "S k " is the DSI of DEVICE (k); and 

- "F k .) is the "k"-th component of a mathematical vector function chosen such that 
the set of M equations describes a stochastic non-periodical dynamic process. 

Accordingly, X k (t) for a fixed "k" depends on the values X of all DEVICES 104-108 
taken at the previous time step, on the DSI of DEVICE (k), and on the history of the value X for 
DEVICE (k). The length of the history taken into account is determined by the number N. 
SIMULATOR 118 calculates these values X k (t) for all "k" in each time step using the same 
mathematical correspondence. Each time step the values X k (t) as calculated by DEVICES 104- 
108 are compared with the values X k (t) as calculated by SIMULATOR 1 1 8. A discrepancy is an 
indication that the integrity of SYSTEM 102 has been violated. 

In order to reprogram any of DEVICES 104-108 or in order to issue some extra command 
directly and with effect on SYSTEM 102, a virus or a hacker has to penetrate all DEVICES 104- 
108 of SYSTEM 102 and has to collect the required history X k (t-1), X k (t-2), X k (t-N) for all 
DEVICES 104-108. Due to the stochastic nature of the evolution of the model given by the set of 
equations of Fig.2 5 all these manipulations are to be performed during one time step. This makes 
undetected hacking of interfering with SYSTEM 102 technically and computationally a very 
complex task 

A computer virus needs a CPU resource from at least one of DEVICE 104-108 in order to 
perform its tasks, including the activities of hiding and mimicking. The inventor therefore 
proposes to reduce or eliminate CPU idling in order to prevent creating a suitable environment 
for the virus. This can be done, for example, as follows. 

Initially, i.e., at t=0, SYSTEM 102 is loaded with equations as discussed under Fig.2, so 
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that it takes all extra CPU resources of each DEVICE beyond those needed for the primary tasks 
of the DEVICE. This can be one, for example, by increasing the computational complexity of the 
dynamic process by means of increasing the quantity N that determines the length of the history 
or recursion taken into account. If the DEVICE needs additional CPU power during operational 
use of SYSTEM 102, then the number N is decreased dynamically under control of an 
appropriate scheduling algorithm. These manipulations are performed on SYSTEM 102 as well 
as on CONTROL SERVER 1 16 so as to conserve the match between the calculated and 
operational values of the stochastic process. SIMULATOR 1 1 8 is therefore notified of these 
updates 122 to maintain this consistency. 

CONTROL SERVER 1 16 can be a trusted well protected apparatus in the same 
geographic environment, e.g., the home, as SYSTEM 102. Alternatively, CONTROL SERVER 
1 16 is a remote server of a trusted party. 

In summary, the inventor proposes to simulate in software a primary system of multiple 
devices and to evaluate the behavior of the actual devices with respect to the simulations in order 
to detect legitimateness of the system's operations. The devices have FSM's. A stochastic discrete 
set of equations is used to cross-bind states and inter-device messages so as to make it impossible 
to predict and pre-calculate the primary system's control code values. As an anti-virus measure a 
computational environment is created that minimizes availability of computational resources to a 
virus. The latter can be implemented by usage of dynamically variable depth of recursion in the 
set of discrete equations as a mechanism to absorb idle computational resources. 
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